Can I force wireless to only function via VPN?
How do I force WiFi to only work through VPN on company laptops?

I'm behind on my wireless connectivity hacks. I work in an environment which needs tight information security, so all our connections have been wired-only until now.

But we have new needs to send laptops out to the field, work from home, etc. So I need a way to protect these machines once they've left the nest. Intrusion security would be handled by endpoint security software (anti virus/spyware/firewall), so I'm not worried about that so much. But folks will be connecting to the internet via home networks with WEP or less, hotspots, etc. And they're on their own there. I don't want their keys cracked or their packets intercepted, as much as is possible.

I know that a connection can be set up which uses VPN; but from what I can tell, it's voluntary - you can choose to use it or not. I know from past experience that if the secure method is optional and/or takes a few more steps, users will go with the non-secure method more often than not. I'd like this to be automatic, so that it's both invisible or transparent to an end user, and not something they can turn off or choose not to use.

What I'd like to do is configure these machines (all various flavors of ThinkPads, BTW) so that once Wi-Fi is established, a VPN connection would be non-optional. I'd like to set up a web proxy here at HQ as the other end of that VPN, and have all those company laptop connections go through it for internet access, for security and activity monitoring. So you fire up wireless, connect to some available network, then *some magic happens* and if you want internet, it has to go through the VPN/proxy at HQ. That would secure all wireless access, right? Much of their access would be back to company data & email anyway, and awareness that the internet connection is passing through filtering/monitoring at HQ should keep people from torrenting porn on the company laptop while they're on the road.

Laptop -> potentially unsafe Wifi AP -> no internet in or out on laptop except via VPN -> monitoring/safeguarding proxy back at HQ -> The Internets

This is possible, or even commonly done, right?
Like I said, it's new to me and I may not be thinking about this the right way. Please correct me if my assumptions are wrong. If this can be done via some software that runs automatically, I'd like to hear about it. (These are all Thinkpads - can this be done via the Access Connections software we've never used?). If it's a configuration to set up on these machines and something back at HQ, please point me at some resources where I can learn to set up & manage this.

Advise me, O Wise Hive Mind! How do I force VPN-only?
You could install a third-party firewall, put your VPN on oddball addresses, and block all connections to anything that's not on those addresses. Actually, depending on the firewall, it may be possible to block by interface; in that case you block all but the VPN server on the Wifi interface, but leave the VPN interface wide open.
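A concrete form of the interface-based blocking this answer describes, written as an added example (not the answerer's or Lenovo's code). It assumes Windows 8 or later with the built-in Windows Firewall and the NetSecurity PowerShell module; the VPN server address, port, and the interface aliases are placeholders to check with Get-NetAdapter.

```powershell
# Added example (not from the thread): a VPN-only "kill switch" using Windows Firewall.
# Assumes Windows 8+ with the NetSecurity module; run from an elevated PowerShell.
# Placeholders (adjust for your environment):
$VpnServer   = "203.0.113.10"          # placeholder: public IP of the HQ VPN endpoint
$VpnPort     = 1194                    # placeholder: e.g. OpenVPN/UDP; IPsec uses 500/4500
$VpnProto    = "UDP"
$WifiAlias   = "Wi-Fi"                 # verify with Get-NetAdapter
$TunnelAlias = "OpenVPN TAP-Windows6"  # placeholder: the VPN client's virtual adapter
$WiredAlias  = "Ethernet"              # wired office link stays unfiltered

# Start from a clean slate so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName "VPN-only*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 1. Fail closed: on every profile, block outbound traffic unless a rule allows it.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

# 2. On Wi-Fi, allow only what is needed to reach the VPN server:
#    DHCP, so the laptop can still obtain an address from the hotspot ...
New-NetFirewallRule -DisplayName "VPN-only: DHCP on Wi-Fi" -Direction Outbound `
    -Action Allow -InterfaceAlias $WifiAlias -Protocol UDP -LocalPort 68 -RemotePort 67
#    ... and the VPN handshake itself. DNS is deliberately NOT allowed here,
#    so name resolution can only happen inside the tunnel.
New-NetFirewallRule -DisplayName "VPN-only: tunnel endpoint" -Direction Outbound `
    -Action Allow -InterfaceAlias $WifiAlias -Protocol $VpnProto `
    -RemoteAddress $VpnServer -RemotePort $VpnPort

# 3. Leave the tunnel interface wide open; everything rides through the HQ proxy.
New-NetFirewallRule -DisplayName "VPN-only: all via tunnel" -Direction Outbound `
    -Action Allow -InterfaceAlias $TunnelAlias

# 4. Wired connections back at HQ are unaffected.
New-NetFirewallRule -DisplayName "VPN-only: wired unrestricted" -Direction Outbound `
    -Action Allow -InterfaceAlias $WiredAlias

# Verify the result: the four rules and the per-profile default.
Get-NetFirewallRule -DisplayName "VPN-only*" | Format-Table DisplayName, Enabled, Action
Get-NetFirewallProfile | Format-Table Name, DefaultOutboundAction
```

Standard (non-administrator) users cannot change firewall rules, so this also meets the "not something they can turn off" requirement as long as the users are not local admins. Hotspots with a captive portal will not be usable under this policy, which is exactly the support cost raised further down the thread.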
This is possible, or even commonly done, right?

I've worked for various large companies that take information security seriously and have not seen this practice. Generally the people in the field are forced to use VPN because that's the only way to allow access to the applications they need to do their job. Or the applications themselves communicate securely over the Internet.

If you force people to use VPN when they don't need it, you may end up with the opposite security problem - your guys leaving their laptops unattended while providing unrestricted access to your internal network.
Before you decide this is a hardware/network security problem rather than an information security problem, you should figure out what your support budget is for this. If people on the road cannot access the internet due to this idea, you are going to have a lot of calls indeed, and they won't be short. Also, if they can't get to the internet, you aren't going to be able to remote-control their machines if that's something you already do.

That said, there may be some kind of DUN scripting you can use (if these are Windows machines).
Response by poster: @vacapinta: I get what you mean. If it was just a matter of securing Outlook or something, then the VPN connection could be set up just for that. And I'm sure there's a way to restrict any connections to company resources so that they can be reached only through VPN authentication of some kind.

What I'm ultimately looking for is something that will secure/monitor ALL their internet access when they're out on their own. Having it all go through a VPN back through HQ was the first thing that came to mind.

@rhizome: it's a new field for me, so I'm trying to find the best solution. You make a good point about this failing if people can't get out to the internet in the first place; which is why I'm looking for something automatic, so that there's as little additional support overhead as possible. They connect to an access point, then it's VPN-proxy-only traffic from there.

@all: if there IS some kind of script (if wifi: close all ports but VPN, launch VPN app) out there, please point me towards it if you can.
